[Owasp-modsecurity-core-rule-set] Unknown blockage
AFaller at excelsior.edu
Thu Mar 25 15:29:24 EDT 2010
Hi -

I'm upgrading from Core Rules 1.x to 2.0.6, and for the life of me I can't
figure out what's blocking a bunch of requests going to images, CSS and
auxiliary files after I set my SecDefaultAction from pass --> fail.

I'm running modsec 2.5.12 on httpd 2.2.14 on Red Hat 4 in a proxy
situation. Below is the audit log of a failed transaction. I've scrubbed
some cookies, IPs and such. Many of the rules that it matched on don't
make sense - for instance, two seem to reference content in my GET, but as
you can see from the audit log, that is not true.

Basically, I switch from SecDefaultAction "phase:2,pass" to
SecDefaultAction "phase:2,deny" and things blow up.

Thanks in advance.
--c7bc2307-A--
[25/Mar/2010:15:17:52 --0400] S6u24KwQx3QAAD98Wq4AAAAF xxxxxx 4913 xxxxxxx
8081
--c7bc2307-B--
GET /portal/page/portal/EC_Images/Navigation/SHADOW_WHITE.gif HTTP/1.1
Host: portaltest.xxxxxxxxxxxx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.2)
Gecko/20100316 Firefox/3.6.2 (.NET CLR 3.5.30729)
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://portaltest.xxxxxxxxx
Cookie: ZZZZZZZZZZZZZ
Cache-Control: max-age=0
--c7bc2307-F--
HTTP/1.1 403 Forbidden
Last-Modified: Wed, 28 May 2008 15:12:28 GMT
ETag: "1958230-432-44e4bd7454f00"
Accept-Ranges: bytes
Vary: User-Agent
Keep-Alive: timeout=15, max=199
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
--c7bc2307-H--
Action: Intercepted (phase 4)
Stopwatch: 1269544672616177 32476 (1886 4785 -)
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/);
core ruleset/2.0.6.
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.7a mod_jk/1.2.28
--c7bc2307-K--
SecAction
"phase:1,auditlog,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}"
SecAction "phase:1,auditlog,t:none,nolog,pass,setvar:tx.paranoid_mode=0"
SecAction
"phase:1,auditlog,t:none,nolog,pass,setvar:tx.inbound_anomaly_score_level=20"
SecAction
"phase:1,auditlog,t:none,nolog,pass,setvar:tx.outbound_anomaly_score_level=15"
SecAction
"phase:1,auditlog,t:none,nolog,pass,setvar:tx.critical_anomaly_score=20,setvar:tx.error_anomaly_score=15,setvar:tx.warning_anomaly_score=10,setvar:tx.notice_anomaly_score=5"
SecAction "phase:1,auditlog,t:none,nolog,pass,setvar:tx.max_num_args=255"
SecAction
"phase:1,auditlog,t:none,nolog,pass,setvar:'tx.allowed_methods=GET HEAD
POST
OPTIONS',setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded
multipart/form-data text/xml
application/xml',setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0
HTTP/1.1',setvar:'tx.restricted_extensions=.asa .asax .ascx .axd .backup
.bak .bat .cdx .cer .cfg .cmd .com .config .conf .cs .csproj .csr .dat .db
.dbf .dll .dos .htr .htw .ida .idc .idq .inc .ini .key .licx .lnk .log
.mdb .old .pass .pdb .pol .printer .pwd .resources .resx .sql .sys .vb
.vbs .vbproj .vsdisco .webinfo .xsd
.xsx',setvar:'tx.restricted_headers=Lock-Token Content-Range Translate via
if'"
SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$"
"phase:2,chain,rev:2.0.6,t:none,pass,nolog,auditlog,msg:'GET or HEAD
requests with
bodies',severity:2,id:960011,tag:PROTOCOL_VIOLATION/EVASION,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10,tag:http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.3"
SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0"
"phase:2,deny,chain,rev:2.0.6,t:none,nolog,auditlog,msg:'Request
Containing Content, but Missing Content-Type header',id:960904,severity:5"
SecRule "&TX:MAX_NUM_ARGS" "@eq 1"
"phase:2,chain,t:none,pass,nolog,auditlog,msg:'Too many arguments in
request',id:960335,severity:4,rev:2.0.6"
SecRule "REQUEST_BASENAME" "@rx \\.(.*)$"
"phase:2,chain,capture,t:none,t:urlDecodeUni,t:lowercase,pass,nolog,auditlog,msg:'URL
file extension is restricted by
policy',severity:2,id:960035,tag:POLICY/EXT_RESTRICTED,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10,logdata:%{TX.0}"
SecRule "TX:PARANOID_MODE" "!@eq 1"
"phase:2,t:none,nolog,skipAfter:END_SESSION_FIXATION"
SecRule "TX:PARANOID_MODE" "!@eq 1"
"phase:2,t:none,nolog,skipAfter:END_FILE_INJECTION"
SecRule "TX:PARANOID_MODE" "!@eq 1"
"phase:2,t:none,nolog,skipAfter:END_COMMAND_ACCESS"
SecRule "TX:PARANOID_MODE" "!@eq 1"
"phase:2,t:none,nolog,skipAfter:END_COMMAND_INJECTION"
SecRule "TX:PARANOID_MODE" "!@eq 1"
"phase:2,rev:2.0.6,t:none,nolog,skipAfter:END_SQL_INJECTION_WEAK"
SecRule "TX:PARANOID_MODE" "!@eq 1"
"phase:2,t:none,nolog,skipAfter:END_XSS_CHECK"
SecRule "RESPONSE_BODY" "!@pm iframe"
"phase:4,rev:2.0.6,t:none,capture,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,nolog,skipAfter:END_IFRAME_CHECK"
SecRule "RESPONSE_BODY" "!@pmFromFile modsecurity_50_outbound.data"
"phase:4,rev:2.0.6,t:none,capture,t:urlDecodeUni,t:htmlEntityDecode,nolog,skipAfter:END_OUTBOUND_CHECK"
--c7bc2307-Z--
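A diagnostic check for audit logs like the one above, added here as an example; it is not code from this list post or from the ModSecurity or Core Rule Set projects. In ModSecurity 2.x a rule that names no disruptive action (pass, deny, drop, allow, block, redirect, proxy, pause) inherits the one from SecDefaultAction, so the useful question when a transaction is intercepted after changing SecDefaultAction is: which of the matched rules in the K section carry no explicit disruptive action and therefore changed behaviour along with it? The script below rejoins the mail-wrapped directives, splits each into its quoted arguments, tokenises the action list while respecting single-quoted values, and reports the effective action per directive for a given SecDefaultAction. The sample input is constructed, modelled on the shape of the K section above; the function names are this example's own.

```python
"""Report which matched rules in a ModSecurity 2.x audit-log K section
inherit their disruptive action from SecDefaultAction."""
import re

# Disruptive actions in ModSecurity 2.x; a rule lacking all of these inherits
# the one given in SecDefaultAction.
DISRUPTIVE = {"allow", "block", "deny", "drop", "pass", "pause", "proxy", "redirect"}

# Constructed sample K section, wrapped the way a mail client wraps long lines.
SAMPLE_K = """\
SecAction "phase:1,auditlog,t:none,nolog,pass,setvar:tx.paranoid_mode=0"
SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0"
"phase:2,deny,chain,rev:2.0.6,t:none,nolog,auditlog,msg:'Request
Containing Content, but Missing Content-Type header',id:960904,severity:5"
SecRule "TX:PARANOID_MODE" "!@eq 1"
"phase:2,t:none,nolog,skipAfter:END_XSS_CHECK"
SecRule "RESPONSE_BODY" "!@pm iframe"
"phase:4,rev:2.0.6,t:none,capture,nolog,skipAfter:END_IFRAME_CHECK"
"""


def reflow(text):
    """Rejoin wrapped lines: every directive starts with SecRule or SecAction,
    anything else is a continuation of the previous directive."""
    out = []
    for line in text.splitlines():
        if line.startswith(("SecRule", "SecAction")):
            out.append(line.strip())
        elif out:
            out[-1] += " " + line.strip()
    return out


def split_quoted(line):
    """Return the double-quoted arguments of a directive (backslash escapes kept)."""
    return re.findall(r'"((?:[^"\\]|\\.)*)"', line)


def split_actions(actions):
    """Split an action list on commas, leaving single-quoted values intact
    (e.g. msg:'Too many arguments, really')."""
    parts, cur, quoted = [], [], False
    for ch in actions:
        if ch == "'":
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if cur:
        parts.append("".join(cur).strip())
    return parts


def analyse(text):
    """One record per directive: label (rule id, or the variable list when the
    rule has no id), phase, explicit disruptive action (None if inherited)
    and whether it starts a chain."""
    rows = []
    for line in reflow(text):
        args = split_quoted(line)
        is_action = line.startswith("SecAction")
        if is_action:
            actions = split_actions(args[0]) if args else []
        else:
            # SecRule VARIABLES OPERATOR [ACTIONS]; actions are optional
            actions = split_actions(args[2]) if len(args) >= 3 else []
        rec = {"label": "SecAction" if is_action else args[0],
               "phase": None, "disruptive": None, "chain": False}
        for act in actions:
            name, _, value = act.partition(":")
            if name in DISRUPTIVE:
                rec["disruptive"] = name
            elif name == "id":
                rec["label"] = value
            elif name == "phase":
                rec["phase"] = value
            elif name == "chain":
                rec["chain"] = True
        rows.append(rec)
    return rows


def effective_actions(text, default="deny"):
    """Pair each directive with the disruptive action that applies to it and a
    flag saying whether that action came from SecDefaultAction."""
    return [(r["label"], r["disruptive"] or default, r["disruptive"] is None)
            for r in analyse(text)]


if __name__ == "__main__":
    for default in ("pass", "deny"):
        print(f"SecDefaultAction phase:2,{default}")
        for label, action, inherited in effective_actions(SAMPLE_K, default):
            print(f"  {label:<28} -> {action:<6}{'(inherited)' if inherited else ''}")
```

Run against the real K section, the rows marked "inherited" are the ones whose behaviour flips when SecDefaultAction moves from pass to deny; the explicit ones (such as the SecAction lines that carry pass, or a rule that carries deny itself) behave the same under either setting.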